[GF-Users] tlsrpt-reporter and SELinux (was: GF10 is now released!)
Peter
peter at pajamian.dhs.org
Tue Aug 26 20:42:46 MST 2025
I pushed out some new tlsrpt-reporter packages to the gf-testing repo.
Due to the scope of the changes I didn't want to push them out to the
main repo until I know that the changes work and don't break anything.

There are now three packages total:

tlsrpt-reporter - This is now a meta-package that doesn't actually
install anything itself but contains tlsrpt-reporter-core and
tlsrpt-reporter-selinux as dependencies.

tlsrpt-reporter-core - This now contains everything that tlsrpt-reporter
used to contain, so if you want to install tlsrpt-reporter without the
selinux policies you can just install this package.

tlsrpt-reporter-selinux - This will install the selinux policies to
allow postfix to connect to the tlsrpt-reporter sockets.

To install or update to this new release:

dnf --enablerepo=gf-testing install tlsrpt-reporter

Please let me know if this fixes the selinux issues, or if not, can you
share a copy of the new denials from audit.log?

Peter

On 24/08/25 15:25, Peter wrote:
> I recall I was going to do something about the systemd issue but it fell
> through the cracks. The last thing I came up with which I believe is
> the appropriate remedy is as follows:
>
>> Create a new selinux type: system_u:object_r:tlsrpt_var_run_t and set
>> context for /var/run/tlsrpt to that type.
>>
>> Create a new policy allowing write and sendto for postfix_smtp_t to
>> tlsrpt_var_run_t.
>>
>> That should allow postfix to access the socket properly without blowing
>> out access to a bunch of other files as well.
>
> I'm thinking of actually doing this from a separate package
> (tlsrpt-reporter-selinux-policies) and setting that as a "Recommends"
> for the tlsrpt-reporter. This way people are not forced to install the
> selinux policies if they have another solution in mind.
>
>
> Peter
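
For anyone gathering the audit.log denials requested above, the following is an added example, not part of the original post or of the packages it describes: it summarises AVC denials whose source type is postfix_smtp_t and lists sock_file targets that do not carry the tlsrpt_var_run_t type proposed in the quoted message. The sample log lines, socket name, PIDs and target contexts are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample audit.log lines (not from the original post); the socket
# name, PIDs, inode numbers and target contexts are assumptions.
SAMPLE_LOG = """\
type=AVC msg=audit(1756266001.101:801): avc:  denied  { write } for  pid=2101 comm="smtp" name="example.socket" dev="tmpfs" ino=4100 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1756266001.102:802): avc:  denied  { sendto } for  pid=2101 comm="smtp" path="/run/tlsrpt/example.socket" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1756266050.300:810): avc:  denied  { read } for  pid=3000 comm="httpd" name="index.html" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1756266060.500:820): avc:  denied  { write } for  pid=2150 comm="smtp" name="example.socket" dev="tmpfs" ino=4100 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1756266060.500:820): arch=c000003e syscall=44 success=no exit=-13 comm="smtp" subj=system_u:system_r:postfix_smtp_t:s0
"""

# Matches the permission set and the three fields needed from an AVC denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")


def selinux_type(context):
    """Return the type field of a user:role:type:level context string."""
    return context.split(":")[2]


def postfix_denials(log_text, source_type="postfix_smtp_t"):
    """Count (permission, class, target type) for denials from source_type."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record (e.g. SYSCALL)
        perms, scontext, tcontext, tclass = m.groups()
        if selinux_type(scontext) != source_type:
            continue  # denial belongs to some other domain
        for perm in perms.split():  # "{ read write }" holds several perms
            counts[(perm, tclass, selinux_type(tcontext))] += 1
    return counts


def unlabelled_socket_types(counts, wanted_type="tlsrpt_var_run_t"):
    """Target types of denied sock_file access that are not wanted_type."""
    return sorted({t for (_, cls, t) in counts if cls == "sock_file" and t != wanted_type})


if __name__ == "__main__":
    summary = postfix_denials(SAMPLE_LOG)
    for (perm, cls, ttype), n in sorted(summary.items()):
        print(f"{n:3d}  {perm:8s} {cls:18s} {ttype}")
    print("sock_file targets without the new type:", unlabelled_socket_types(summary))
```

A sock_file denial that still shows a target type other than tlsrpt_var_run_t means the socket was not carrying the new label when the denial was logged.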